52,000 Patients Affected by Email Security Breaches in Two Maine Healthcare Providers

A recent email security breach at InterMed, one of the biggest healthcare companies in Southern Maine, resulted in the potential access of the information of about 30,000 patients.

InterMed discovered on September 6, 2019 that a third-party accessed the email account of an employee without authorization. According to the investigation results of the breach, the account compromise occurred on September 4 and there were three more employee email accounts that were compromised from September 7 to September 10, 2019.

The messages and attachments in the breached email accounts stored patient data including names, birth dates, clinical data, and health insurance details, and Social Security numbers for 155 people. The breach affected only the email accounts and not the electronic medical record system. But it cannot be ascertained if the attacker viewed the emails in the compromised account.

InterMed promptly secured the compromised email accounts and sent breach notifications to the affected patients on November 5. The provider also offered free credit monitoring and identity theft protection services to the people whose Social Security number was possibly exposed. Right now, InterMed is improving its compliance with email best practices and boosting its security against further cyberattacks.

22,000 Present and Past Clients Affected by Sweetser Breach

Sweetser, another healthcare provider in Saco, Maine, recently reported an email system breach. This mental health services provider discovered on June 24, 2019 the potential email account breach upon noticing suspicious activity in the account. A digital forensics firm investigated the breach and confirmed that the incident affected the email accounts of other employees. An unauthorized person accessed the accounts from June 18 to June 27, 2019.

Sweetser said that on September 10, 2019 the investigators confirmed finding patient information in one or more compromised email accounts. On September 13, 2019, the breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights indicating that 22,000 patients were impacted. Sweetser publicly announced the breach and began mailing the notification letters to patients on October 25, 2019.

The email accounts contained different types of information from patient to patient but included one or more of the following: names, addresses, phone numbers, birth dates, health insurance data, Social Security numbers, drivers license numbers, identification numbers, Medicare/Medicaid details, payment/claims data, diagnosis codes, and data on patients’ health conditions and treatments.

Sweetser offered credit monitoring and identity theft protection services for free to the people whose Social Security number was likely exposed.